-
-
Notifications
You must be signed in to change notification settings - Fork 4.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow to configure "allowed domains" for CORS on DAV #40537
base: master
Are you sure you want to change the base?
Conversation
* Exclude DAV CORS handling when no Origin specified This will exclude non-browser clients from CORS handling. Fixes some clients like davfs which break when CORS is enabled. * fix: CORS on WebDAV is not working WebDAV is not working at all when used by on browser Javascript because the CORS headers are only present in the OPTION request, but not in the subsequent WebDAV methods. * This behavior is caused by a erroneous json_decode call while retriving the user's domains whitelist. It return an object, so the is_array always fails and no header are sent. * Add Access-Control-Expose-Headers - to allow clients to access certain headers * Adding many headers as allowed headers + add capability to read additional allowed headers from config.php
I removed the beforeController logic here due to the change of handling CORS since PR 28457[1] According to previous implementation, CORS was only allowed with methods that had @publicpage notation for preventing CSRF attacks. But in the latest PR by me, the current implementations is as follows: * maintain a white-list of domains for whom CORS is enabled * This list can be viewed and edited under settings -> personal -> security This implementation removes the need for `@PublicPage`[2]. [1] owncloud/core#28457 [2] owncloud/core#28864
b0a6b70
to
6955c85
Compare
6955c85
to
4c2f7b1
Compare
Also make sure to only return allowed methods for DAV responses Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
4c2f7b1
to
bcfaa85
Compare
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
return; | ||
} | ||
} catch (\InvalidArgumentException $e) { | ||
\OC::$server->getLogger()->debug('Invalid origin header was passed', ['Origin' => $originHeader, 'exception' => $e]); |
Check notice
Code scanning / Psalm
DeprecatedMethod Note
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
\OC::$server->getLogger()->debug('Invalid origin header was passed', ['Origin' => $originHeader, 'exception' => $e]); | |
\OC::$server->get(LoggerInterface::class)->debug('Invalid origin header was passed', ['origin' => $originHeader, 'exception' => $e]); |
apps/dav/lib/Server.php
Dismissed
@@ -130,6 +131,8 @@ | |||
$this->server->addPlugin(new ProfilerPlugin($this->request)); | |||
$this->server->addPlugin(new BlockLegacyClientPlugin(\OC::$server->getConfig())); | |||
$this->server->addPlugin(new AnonymousOptionsPlugin()); | |||
$this->server->addPlugin(new CorsPlugin(\OC::$server->getUserSession(), \OC::$server->getConfig())); |
Check notice
Code scanning / Psalm
DeprecatedMethod Note
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think you can change to:
$this->server->addPlugin(new CorsPlugin(\OC::$server->getUserSession(), \OC::$server->getConfig())); | |
$this->server->addPlugin(new CorsPlugin(\OC::$server->get(IUserSession), \OC::$server->get(IConfig::class))); |
With:
use \OCP\IConfig;
use \OCP\IUserSession
* @return DataResponse | ||
*/ | ||
public function updateUserEnabled($value) { | ||
if (!is_bool($value)) { |
Check notice
Code scanning / Psalm
DocblockTypeContradiction Note
|
||
// Reach here if it's valid | ||
$response = new \OC\OCS\Result(null, 100, 'OPTIONS request successful'); | ||
\OC_Response::setOptionsRequestHeaders($response, $this->config); |
Check failure
Code scanning / Psalm
InvalidArgument Error
This comment was marked as resolved.
This comment was marked as resolved.
I am coming from #37716 for which I was proposing #37896 . |
check if CORS support in login v2 and OAuth2 flow #34898(not yet)Summary
This adds CORS support to the DAV routes, the default is non breaking -> so no other domain is allowed.
But the admin can configure a list of allowed domains which will be allowed to access the DAV routes using CORS.
Moreover the admin can enable user defined lists, meaning that users can add their own allowed domains for WebDAV related requests, see #30964.
Why do we need CORS on DAV?
See #3131
Basically to access it within the browser from a different page, like e.g. the Dropbox file picker with allows you to pick files from your cloud onto another page (e.g. upload something from cloud to form etc).
Screenshot
Todo
Checklist